Network Security (8) Flashcards
Which of the following is the term for a network segment that is separated from the internal network by a firewall and exposed to the Internet?
AES
DMZ
VLAN
DMZ
A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a demilitarized zone (DMZ), or a perimeter network. Administrators typically use a DMZ for servers that must be accessible by outside users, such as web and email servers. Advanced Encryption Standard (AES) is an encryption algorithm. A honeynet is a network designed to entice attackers that provides no meaningful access to sensitive information. A virtual LAN (VLAN) is a network created within a switch.
Which of the following best describes the process of penetration testing?
Administrators attempt to access the network from outside using hacker tools.
An organization hires an outside consultant to evaluate the security conditions on the network.
An organization hires an outside consultant who attempts to compromise the network’s security measures.
An organization hires an outside consultant who attempts to compromise the network’s security measures.
Penetration testing is the engagement of an outside consultant to attempt unauthorized access to protected network resources. Testing by an internal administrator familiar with the security barriers would not be a valid test. While having a consultant examine the network’s security from within can be useful, this is not a penetration test. Computers or networks that are alluring targets for intruders are called honeypots or honeynets.
Which of the following are the default administrative user accounts found in Windows and Linux operating systems? (Choose all correct answers.)
Administrator
root
admin
Control
Administrator
root
Administrator is the default administrative user account in Windows, and root is the administrative account in Linux. Control and admin are not privileged user accounts provided with the operating systems.
Which of the following are network segmentation methods that can prevent intruders from gaining full access to a network? (Choose all correct answers.)
ACL
VLAN
NAC
DMZ
VLAN
DMZ
Virtual LANs can be used to isolate systems on a separate network segment. A demilitarized zone (DMZ), also called a perimeter network, is a network segment accessible from the Internet and separated from the internal network by a firewall. Both of these are methods for isolating systems to prevent security breaches from spreading beyond their bounds. Access control lists (ACLs) and Network Access Control (NAC) are both methods for enhancing network security, but they are not segmentation methods.
Which of the following types of mitigation techniques is not applicable to servers?
Role separation
File integrity monitoring
DHCP snooping
DHCP snooping
DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. The other options are all techniques that are applicable to servers.
On a wireless access point that uses an access control list (ACL) to specify which devices are permitted to connect to the network, which of the following is used to identify the authorized devices?
IP addresses
Device names
MAC addresses
MAC addresses
Wireless access points use the layer 2 MAC addresses coded into devices in their access control lists. Usernames, IP addresses, and device names can easily be impersonated.
Which of the following network devices does not employ access control lists to restrict access?
Routers
Hubs
Switches
Hubs
ACLs restrict access to network devices by filtering usernames, MAC addresses, IP addresses, or other criteria. Routers, switches, and wireless access points all use ACLs to control access to them. Hubs are purely physical layer devices that relay electrical or optical signals. They have no way of controlling access to them.
Which of the following services are provided by access control lists (ACLs)?
Authentication
Authorization
Accounting
Authorization
ACLs define the type of access granted to authenticated users. This process is known as authorization. Authentication is the confirmation of a user’s identity. Accounting and auditing are both methods of tracking and recording a user’s activities on a network.
Which of the following terms describes the threat mitigation technique of deploying individual applications and services on virtual servers so that no more than one is endangered at any one time, rather than deploying multiple applications on a single server?
Geofencing
Network segmentation
Role separation
Role separation
Role separation is the practice of creating a different virtual server for each server role or application. In addition to other benefits, this forces intruders to mount attacks on multiple servers to disable an entire network. Geofencing is a technique for limiting access to a wireless network. Network segmentation describes the process of creating multiple VLANs or deploying firewalls to isolate part of a network. VLAN hopping is a type of attack in which an intruder sends command messages to a switch to transfer a port from one VLAN to another.
Role separation is a threat mitigation technique that is applied to which of the following types of network components?
Switches
Servers
Routers
Servers
Role separation is the practice of creating a different virtual server for each server role or application. In addition to other benefits, this forces intruders to mount attacks on multiple servers to disable an entire network. Switches, routers, and access points do not use this technique.
Which of the following statements about DHCP snooping is not true?
DHCP snooping detects rogue DHCP servers.
DHCP snooping is implemented in network switches.
DHCP snooping prevents DNS cache poisoning.
DHCP snooping prevents DNS cache poisoning.
DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. Although DHCP snooping can prevent DHCP clients from being assigned an incorrect IP address, it does not directly prevent the poisoning of DNS server caches with erroneous information.
At which layer of the OSI reference model does DHCP snooping operate?
Data link
Network
Transport
Data link
Although DHCP is an application layer service, which uses the UDP transport layer protocol to assign network layer IP addresses, DHCP snooping is a data link layer process in which a network switch examines incoming DHCP traffic to determine whether it originates from an authorized server and is arriving over the correct port.
Which of the following types of server attacks is a flood guard designed to prevent?
Evil twin
Denial of service
DNS poisoning
Denial of service
One of the most common ways to stop a server from functioning properly is to flood it with traffic of a particular type. Denial-of-service attacks frequently use floods of ping messages or TCP SYN packets to attack a server. A flood guard is a filter implemented in a firewall or a standalone device to prevent the flood of traffic from reaching the intended target. A flood guard cannot prevent an evil twin attack, which is a rogue wireless access point; DNS poisoning, which is the insertion of incorrect resource records into a DNS server cache; or war driving, which is the process of searching for unprotected wireless networks.
Which of the following types of attacks on a network switch can a flood guard help to prevent?
DNS poisoning
War driving
MAC flooding
MAC flooding
By flooding a switch with frames containing many different false MAC addresses, an attacker can cause the legitimate entries in the switch’s MAC table to be aged out of the device and replaced with bogus entries. When the destinations of incoming frames are not found in the table, the switch broadcasts them throughout the network, where they can be more readily captured and compromised. A flood guard is a mechanism that prevents confirmed MAC addresses in the table from being replaced. A flood guard in a switch cannot protect against DNS poisoning, war driving, or evil twin attacks.
Which of the following protocols is a root guard designed to affect?
EAP
STP
LDAP
STP
A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric. Root guards do not affect the Extensible Authentication Protocol (EAP), the Lightweight Directory Access Protocol (LDAP), or the Address Resolution Protocol (ARP).
Which of the following features helps to protect network switches from attacks related to the Spanning Tree Protocol (STP)? (Choose all correct answers.)
BPDU guard
Root guard
DHCP snooping
Geofencing
BPDU guard
Root guard
Bridge Protocol Data Units (BPDUs) are messages that switches running the Spanning Tree Protocol exchange to learn about the available paths through a switched network and the states of other switches. Switches should only receive BPDUs through ports that are connected to other switches. BPDU guard is a feature that prevents BPDU messages from arriving through ports connected to end systems, such as computers, thus preventing an attacker from manipulating the STP topology. A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric.
Which of the following modifications occur when you configure the native VLAN on your network switches to use 802.1q tagging? (Choose all correct answers.)
Double-tagged packets are prevented.
BPDU guards are applied.
Root guards are applied.
Double-tagged packets are prevented.
To join ports on different switches into one VLAN, you designate a trunk port on each switch for the traffic between switches. Initially, the native VLAN uses the default VLAN1 for trunk traffic, and that traffic is left untagged. Untagged traffic is susceptible to attacks using double-tagged packets. When you configure the native VLAN to use tagging, this makes it impervious to double-tagging. Changing the native VLAN does not create root guards or BPDU guards, and all traffic continues to be switched, not routed.
Which of the following protocols is responsible for inserting the tags into frames that enable switches to forward them to the appropriate VLAN?
IEEE 802.3x
IEEE 802.1X
IEEE 802.1q
IEEE 802.1q
The IEEE 802.1q protocol is responsible for VLAN tagging, a procedure that enables network switches to support virtual LANs (VLANs). Through the insertion of VLAN identifier tags into frames, switches can determine which VLAN each packet is destined for and forward it to the correct ports. IEEE 802.3x is one of the standards for wired Ethernet networks. IEEE 802.1X is a standard that defines a port-based network access control mechanism used for authentication on wireless and other networks. IEEE 802.11ac is a standard defining the physical and data link layer protocols for wireless networks.
Which of the following best explains how tagging the native VLAN traffic can improve in-band switch management security?
By renaming the default VLAN
By preventing double-tagged packets
By encrypting in-band management traffic
By preventing double-tagged packets
When in-band switch management traffic, such as that generated by a Secure Shell (SSH) connection to a switch, uses the native VLAN, it is untagged by default. This is because the native VLAN is at first the default VLAN1, which is not tagged by the 802.1q protocol, leaving it open to certain types of double-tagging attacks. When you tag the native VLAN traffic, it is rendered immune to double-tagging. The default VLAN cannot be renamed, and SSH traffic is already encrypted by the sending workstation. Changing the native VLAN does not move the management traffic off that VLAN, although many authorities advocate the creation of a separate VLAN dedicated to in-band management traffic.
Which of the following mitigation techniques helps organizations maintain compliance with standards such as HIPAA and FISMA?
File integrity monitoring
Role separation
Deauthentication
File integrity monitoring
File integrity monitoring (FIM) is a process that typically consists of a comparison of files in their current state to a known baseline copy stored elsewhere. The comparison can be direct, or it could involve the calculation of checksums or other types of file hashes. The object of the comparison is to detect changes in documents, both in content and in sensitive areas, such as credentials, privileges, and security settings, which might indicate the presence of a potential or actual security breach. Role separation applies to the deployment of applications on servers. Deauthentication is a type of wireless network attack. Tamper detection is a term used to describe a physical security measure for hardware.
Which of the following functions cannot be implemented using digital signatures?
Integrity
Nonrepudiation
Segmentation
Segmentation
Digital signatures can be used for the following functions: authentication, to confirm that data originated from a specific individual; nonrepudiation, to prevent the sender from denying the data’s origin; and integrity, to confirm that the data has not been modified in transit. Segmentation is not a function of digital signatures.
When Ralph digitally signs and encrypts a document with his private key, Alice can decrypt the document only by using Ralph’s public key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all correct answers.)
Ralph cannot deny having created the document.
No one has altered the document since Ralph sent it.
No one but Ralph can have created the document.
No one but Alice can decrypt and read the document.
Ralph cannot deny having created the document.
No one has altered the document since Ralph sent it.
No one but Ralph can have created the document.
Because only Ralph possesses the private key, only he could have signed and encrypted it. Although it is possible for someone other than Alice to have decrypted the document while it was in transit, using Ralph’s public key, that individual could not have modified it and encrypted it again.
When Alice digitally signs and encrypts a document with Ralph’s public key, Ralph can decrypt the document only by using his private key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all correct answers.)
Alice cannot deny having created the document.
No one has altered the document since Alice sent it.
No one but Alice can have created the document.
No one but Ralph can decrypt and read the document.
No one has altered the document since Alice sent it.
No one but Ralph can decrypt and read the document.
Because anyone can obtain Ralph’s public key, the document can have been created, signed, and encrypted by anyone. However, because only Ralph possesses the private key that can decrypt the document, he can be sure that no one has modified it in transit.
Which of the following types of servers are typically found in a DMZ? (Choose all correct answers.)
Domain controllers
DHCP servers
Email servers
Web servers
Email servers
Web servers
A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a demilitarized zone (DMZ) or a perimeter network. Administrators typically use a DMZ for servers that must be accessible by outside users, such as web and email servers. For security reasons, domain controllers and DHCP servers should be located on internal network segments.
Which of the following are elements you can use to segment a network? (Choose all correct answers.)
RADIUS
DMZ
VLAN
LDAP
DMZ
VLAN
A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a demilitarized zone (DMZ) or a perimeter network. Administrators typically use a DMZ for servers that must be accessible by outside users, such as web and email servers. A virtual LAN (VLAN) is a logical network segment created within network switches. VLANs divide a switched fabric into network segments that function just like physical segments. RADIUS is an authentication, authorization, and accounting service, and LDAP is a directory services protocol; neither one is capable of segmenting networks.